60 apps Privacy
Radicale screenshot thumbnail

Radicale

Calendars, to-do lists, journal entries, and contacts, synced over the open CalDAV and CardDAV standards nearly every client already speaks: Radicale is a small pure-Python server that works with Thunderbird, DAVx5 on Android, Apple Calendar and Contacts, GNOME, and many more. Its defining design choice is radical simplicity: there is no database. Events live as plain .ics files and contacts as .vcf files in an ordinary folder structure, which makes backup a copy command, migration a move, and disaster recovery a matter of reading text files. The server works out of the box with no complicated setup, then grows as needed: flexible authentication (htpasswd files among other methods), per-collection authorization rules, TLS-secured connections, and a plugin system for extending storage, auth, and rights handling. Built-in limits on parallel connections, file sizes, and failed authentication attempts harden it for network exposure behind a reverse proxy. A bundled web interface handles creating and managing calendars and address books - useful since many clients cannot create collections themselves. Maintained since 2011 with 140+ contributors, GPLv3-licensed, and light enough to run on the smallest VPS or a Raspberry Pi.

Deploy
Roundcube screenshot thumbnail

Roundcube

Two decades of continuous development made Roundcube the standard-bearer of open-source webmail - a PHP IMAP client that gives any mail server a polished, application-like interface in the browser. It connects to whatever IMAP/SMTP stack you run - Dovecot, Postfix, a hosted mailbox - and delivers the full desktop-client experience: drag-and-drop message management, threaded conversation views, full MIME and HTML mail handling, find-as-you-type address book with groups and LDAP connectors, multiple sender identities, full-text search, and spell checking in dozens of languages. The default Elastic skin is genuinely responsive, working as well on a phone as a desktop, and the entire UI is skinnable. The plugin API is where deployments get shaped: managesieve exposes server-side filter management in the UI, enigma brings PGP encryption and signing via GnuPG, markasjunk trains spam filters, zipdownload batches attachments, password lets users change credentials, and attachment_reminder catches the classic forgotten-attachment email - among hundreds of community plugins. Built-in caching keeps large mailboxes fast, IMAP ACLs and shared folders support team setups, and XSS protection is engineered into the rendering pipeline. It scales from a single personal mailbox to unlimited users, backed by MySQL, MariaDB, PostgreSQL, or SQLite. GPL-licensed with regular security releases.

Deploy
SearXNG screenshot thumbnail

SearXNG

Up to 280 search services - Google, Bing, DuckDuckGo, Brave, Qwant, Startpage - aggregated without tracking or profiling: SearXNG is a privacy-respecting metasearch engine (AGPL-3.0, successor to Searx). Your instance queries the upstream engines on your behalf: your IP address, cookies, and search history never reach them, tracker parameters are stripped from result URLs, and an optional image proxy fetches thumbnails server-side so result pages leak nothing. It can even route outbound queries through Tor for full anonymity. Search is organized into categories - general, images, videos, news, maps, music, IT, science, files - with bang shortcuts for targeting specific engines, and every source can be enabled, disabled, or weighted per category in settings.yml. A plugin system adds calculators, hash tools, tracker removal, and unit conversions inline, and preferences (themes, safe search, languages, engine selection) persist in cookies rather than server-side accounts. The real argument for running your own instance rather than trusting a public one is control: you decide the logging policy (none), the engine mix, rate limiting, and who gets access - making it the default search backend for browsers, families, and teams that want Google-quality results without the profile.

Deploy
Lenpaste screenshot thumbnail

Lenpaste

Share code snippets, logs, configs, and notes without registration, tracking, or ads: Lenpaste is a minimal, self-hosted, anonymous alternative to pastebin.com. It is deliberately spartan in the right ways: no accounts, no JavaScript required (the entire site works in text browsers and hardened setups), and cookies used solely to store display preferences. Pastes support syntax highlighting across a long list of languages (from ApacheConf and Arduino to mainstream stacks), configurable expiration from minutes to unlimited, one-use "burn after reading" pastes that self-delete on first view, optional author attribution, and iframe embedding for dropping pastes into other pages. The form-encoded HTTP API covers everything the UI does - create pastes with title, syntax, expiration, and line-ending normalization, fetch them by ID, and query server capabilities - making it trivial to pipe command output to your paste server from shell scripts. Server operators control maximum title and body lengths, maximum paste lifetime, rate limits for viewing and creation, search-engine indexing policy, and can lock private instances behind HTTP Basic authentication. It deploys as a single lightweight Docker container, giving your team a snippet-sharing endpoint where the content never touches a third-party service.

Deploy
Vaultwarden screenshot thumbnail

Vaultwarden

The Bitwarden server, reimplemented in Rust: Vaultwarden (formerly bitwarden_rs) is the unofficial lightweight edition. It speaks the same wire protocol as the official server, so every official Bitwarden client - browser extensions, iOS, Android, desktop, and the bw CLI - connects without modification, while the server itself runs as a single container against SQLite (or MySQL/MariaDB/PostgreSQL) instead of the official multi-container stack that wants gigabytes of RAM. Features Bitwarden gates behind paid tiers ship free: organizations with collections, groups, member roles, and policies; TOTP code storage; file attachments; Bitwarden Send; Emergency Access; event logs; and admin password reset. Two-factor options cover authenticator apps, email, FIDO2 WebAuthn, YubiKey, and Duo, and OIDC-based SSO landed natively in v1.35.0. Zero-knowledge encryption is unchanged - vault data is encrypted client-side and the master password never reaches the server. Attachments and Sends store on local disk or S3-compatible backends, an admin panel manages users and server settings, and backup is copying one data directory. Suited to individuals and teams up to roughly 50 users.

Deploy
Ghostfolio screenshot thumbnail

Ghostfolio

Stocks, ETFs, crypto, bonds, precious metals, and cash across every account and currency, in one privacy-first dashboard: Ghostfolio is open-source wealth management software. The deliberate design decision is no brokerage linking: positions enter by manual entry, CSV import, or the REST API, so your holdings never pass through a data aggregator. Performance is measured as return on average investment across Today, WTD, MTD, YTD, 1Y, 5Y, and Max timeframes, with benchmark comparison against indices like the S&P 500, dividend tracking, and allocation breakdowns by asset class, region, and sector. A static X-ray analysis flags concentration and other portfolio risks, and a FIRE calculator projects progress toward financial independence. Multi-currency support converts holdings using historical exchange rates, market data comes from Yahoo Finance and CoinGecko among other pluggable providers, and everything exports back out as CSV or JSON. Built with Angular and NestJS on PostgreSQL and Redis, shipped as Docker images for amd64 and ARM, with a mobile-first PWA interface, dark mode, and a distraction-free Zen mode. AGPL-licensed.

Deploy
Passbolt screenshot thumbnail

Passbolt

Security-conscious IT departments pick Passbolt for its cryptography: every user holds an OpenPGP key pair, and shared credentials are encrypted individually to each recipient's public key - real end-to-end encryption, not a vault password handed around. All crypto runs client-side in the mandatory browser extension (distributed and signed through the Chrome and Firefox stores, deliberately separating the crypto code from the server that stores ciphertext); private keys and passphrases never touch your instance, and the server admin cannot read a single secret. Authentication uses the challenge-based GpgAuth protocol, secrets are digitally signed to verify sender integrity, and metadata encryption extends protection to resource names and URLs. Day to day it behaves like a polished commercial manager: auto-fill and auto-save in forms, strong password generation, anti-phishing protection, TOTP storage, folder hierarchies shared per-user or per-group with fine-grained permissions and instant cryptographic revocation. Native iOS, Android, and desktop apps ship alongside a JSON API, CLI, and SDKs for CI/CD secret retrieval and rotation. The PHP server runs on MariaDB and is AGPL-licensed open source - including the paid tiers' codebase - with published security audits.

Deploy
Omni Tools screenshot thumbnail

Omni Tools

The ad-riddled "free online tools" sites people paste sensitive text into and upload confidential PDFs to - OmniTools replaces that whole ecosystem with one self-hosted app. It bundles 50+ utilities behind one clean React/TypeScript interface: image tools (resize, convert, crop, edit), video and audio tools (trim, reverse, convert), PDF tools (split, merge, edit), text and list utilities (case converters, formatters, shufflers), plus date/time, math, and data-format helpers for JSON, CSV, and XML. The architectural decision that makes it trustworthy is that all file processing happens entirely client-side in the browser - the server only serves static assets, and nothing you process ever leaves your device. That design has a pleasant side effect: the host needs almost no resources (people run it on a Raspberry Pi Zero), because your browser does the work while the server just delivers files. The Docker image is a remarkable 28 MB, making it one of the fastest apps to deploy and cheapest to keep running. There are no ads, no tracking, no accounts, and no upload limits. With multi-language support and an MIT license, it works equally well as a personal toolbox or a team-wide internal utility portal - one URL that replaces a bookmark folder full of questionable converters. Actively developed with 50 contributors and 9,500+ GitHub stars.

Deploy
Monica screenshot thumbnail

Monica

Take the tool sales teams use to never forget a client detail and point it at the people who actually matter - friends, family, the colleague whose kid's name you keep blanking on: Monica is a personal CRM. It's a Laravel/PHP application over MySQL where each contact accumulates the texture of a real relationship: how you met, family members and pets, work changes, addresses, notes from conversations, activities done together, gift ideas and gifts given, even debts owed in multiple currencies. Two features set it apart from every contact app. Reminders with staying power: set per-contact intervals (weekly through yearly), get notified at 30 days, 7 days, and day-of, with automatic birthday reminders and CalDAV sync to your calendar. And a journal linked to contacts: write about dinner with friends, tag each person, and build a timeline that's part diary, part relationship log - plus a daily "how was your day" rating. Monica is deliberately manual and deliberately private: no social network features, no AI, no email scraping, no ads, no analytics - a quiet database of what you know about people you love, on your own server. Multiple vaults and users, labels, custom activity types, and document/photo uploads round it out. AGPL-licensed.

Deploy
Jirafeau screenshot thumbnail

Jirafeau

Upload a file, get a unique download link and a separate delete link - Jirafeau has done exactly this one thing since 2008. It is plain PHP with no database, no mail server, no JavaScript framework, and no external dependencies - files and metadata live on the filesystem, which is why it runs on nearly anything and why it has outlasted most of its imitators. Uploads use the HTML5 file API, so PHP's post_max_size ceiling does not constrain file size, with live progress showing speed, percentage, and time remaining. Every upload takes options: expiration from one minute to a year to unlimited, self-destruct after first download, and password protection with configurable policy - passwords can be optional, required, or server-generated with complexity rules. Server-side encryption (modern builds use XChaCha20-Poly1305) stores files encrypted at rest with the decrypt key embedded only in the download URL, never on the server, so a compromised host cannot read the contents. Unencrypted deployments get file-level deduplication - identical files stored once with multiple links. Upload access can be gated by password lists or IP allowlists, a small admin panel manages stored files, and a CLI cleanup script handles expired files via cron. Recipients can preview supported files in-browser.

Deploy
ExpenseOwl screenshot thumbnail

ExpenseOwl

Log a date, amount, and category; get a clean monthly pie chart and a cashflow strip showing income, expenses, and net balance - ExpenseOwl is expense tracking stripped to what actually matters. The MIT-licensed Go application deliberately is not a budgeting system - no envelopes, no accounts, no double-entry, no bank sync - because its author found tools like Firefly III and Actual too heavy for the simple question "where did this month's money go?" The dashboard makes that question fast: click a pie slice to exclude fixed costs like rent and see discretionary spending clearly, then drill into a chronological table view to inspect or delete individual transactions. Recurring transactions handle salaries and subscriptions automatically, optional tags add a second classification axis, and settings cover custom categories, currency symbol, and a configurable month start date for non-calendar pay cycles. CSV import migrates data from virtually any other tool, and CSV export keeps your data portable. It ships as a self-contained binary and multi-architecture Docker image with zero internet interaction, stores data in flat JSON files by default (PostgreSQL optional), and installs as a PWA on phones. Single-user by design; pair it with an authenticating reverse proxy if exposed publicly.

Deploy
Miniflux screenshot thumbnail

Miniflux

One statically-compiled Go binary over PostgreSQL, no ORM, no framework, static assets embedded in the executable: Miniflux is the minimalist, opinionated feed reader. The opinions are the feature: page layout, fonts, and colors are tuned for reading, and everything else is treated as noise. It consumes Atom, RSS, and JSON Feed formats with OPML import/export, organizes articles with categories and bookmarks, fetches original full-text content for summary-only feeds, and provides Postgres-powered full-text search. Privacy work happens automatically: pixel trackers are stripped, tracking parameters removed from URLs, a media proxy blocks third-party tracking, referrers are never forwarded, and there is zero telemetry. Navigation is keyboard-first - j/k through items, o to open, f to star - with touch gestures on mobile. Podcast, video, and music enclosures are supported, and YouTube videos play inline. Over 25 integrations save articles onward to Wallabag, Readwise Reader, Pinboard, Linkding, Instapaper, Notion, Telegram, Matrix, Ntfy, and more, plus webhooks and a REST API with Go and Python clients; the Google Reader API endpoint supports existing mobile reader apps. Authentication spans local passwords, passkeys (WebAuthn), Google OAuth2, OpenID Connect, and reverse-proxy headers. It is Apache 2.0 licensed, translated into 20 languages, and updates feeds on an internal scheduler.

Deploy
Usermemos screenshot thumbnail

Usermemos

Memos, the lightweight open-source note service from the usememos project, packaged as a containerized deployment for multi-architecture Docker hosts (x86-64 and arm64): that is Usermemos. The model is frictionless capture: no folders or titles, just a chronological stream of Markdown notes with code blocks, task lists, tables, and file attachments, organized by #hashtags pulled automatically from the text. Per-memo visibility - private, protected for logged-in users, or public - lets a single instance serve as a personal journal, a shared team log, or a public microblog simultaneously. Multi-user support with authentication makes it workable for small teams, and full REST and gRPC APIs open capture and retrieval to CLIs, bots, and automation tools. The runtime is a single Go binary with a React frontend that idles around 50 MB of memory and stores content as plain Markdown in SQLite by default, with MySQL and PostgreSQL available for heavier deployments. Configuration happens through environment variables, access works over HTTP or HTTPS behind a reverse proxy, and there is no telemetry - notes stay on your server in a portable format.

Deploy
Plausible screenshot thumbnail

Plausible

Built as a direct rejection of the adtech model, Plausible is the best-known privacy-first web analytics tool - lightweight, cookie-free, and open-source. It sets no cookies and stores no personal data: unique visitors are counted via a hash of IP plus User-Agent that rotates every 24 hours and is never stored raw, so no consent banner is required and GDPR compliance is structural rather than contractual. The tracking script is under 1 KB - orders of magnitude lighter than GA - and the dashboard is a deliberate contrast to GA4's sprawl: one fast-loading page with visitors, sources, top pages, countries, devices, and UTM breakdowns, filterable by any dimension. Custom events and goals track signups and clicks, Google Search Console integration pulls in search queries, scheduled email reports keep stakeholders updated, and the Stats API (v2) plus CSV export feed data anywhere. This is the AGPL-licensed Community Edition, the same Elixir codebase that powers Plausible's cloud service, running as three containers: the web app, PostgreSQL for accounts, and ClickHouse for event storage - which means self-hosters get direct SQL access to raw analytics data the cloud version never exposes. Traffic data stays entirely on your server, with no visitor caps or per-pageview pricing.

Deploy
mCaptcha screenshot thumbnail

mCaptcha

The CAPTCHA bargain - annoy your users and feed their behavior to Google - gets replaced with economics by mCaptcha. Instead of image puzzles, it uses SHA256 proof-of-work: every visitor's browser silently solves a small computational challenge (via a WebAssembly library) before submitting a form. Humans never notice the milliseconds; bots hammering your site must burn more compute sending requests than your server spends answering them, which makes attacks more expensive than defense - the property that also makes mCaptcha genuine DoS protection, not just bot filtering. Written in Rust, the system is fully automated: difficulty scales with traffic, so challenges stay trivial in normal conditions and harden under attack. The privacy and accessibility wins are structural rather than promised: no tracking, no profiling, no user-pattern data collection, and no visual puzzles that exclude users with visual or cognitive impairments - the design was published in Communications of the ACM. Rate limiting is IP-independent, so users behind NATs, VPNs, or Tor get the same experience instead of endless challenge loops, and proofs resist replay attacks, neutering captcha farms. Migration is deliberately easy: the API is compatible with reCAPTCHA and hCaptcha, making it a drop-in replacement. AGPL-licensed core with proprietary-friendly client libraries.

Deploy
BeaverHabits screenshot thumbnail

BeaverHabits

No targets, no gamification spiral, no motivational nagging: Beaver Habit Tracker is a self-hosted habit tracker deliberately built without "Goals". The core loop is honest: add habits, check them off each day, watch streaks accumulate on a calendar view. Its design follows behavioral-science basics - make it obvious (visual streak cues), make it attractive (progress is the motivator), make it satisfying (tracking becomes its own reward). Beyond the daily checklist it supports per-day notes intelligently grouped per habit, periodic habits, habit categories and tags, drag-to-reorder (manual or automatic), dark mode, and detailed streak and frequency views. Data lives where you choose: a single SQLite database or flat JSON files on a mounted volume, with JSON export and import for full portability. A REST API opens automation - community integrations already cover Stream Deck buttons, Home Assistant triggers, and CalDAV. The Python app ships as one Docker container with no external dependencies; environment variables tune everything from first day of week and index-page columns to iOS standalone PWA mode, and single-user setups can bypass the login entirely with TRUSTED_LOCAL_EMAIL. BSD-3-Clause licensed with no commercial restrictions - a well-executed single-purpose tool whose mobile PWA works anywhere a browser does.

Deploy
LibreTranslate screenshot thumbnail

LibreTranslate

Machine translation with no Google, no Azure, no per-character billing, and no text leaving your infrastructure: LibreTranslate is a free, open-source translation API that runs entirely on your own server. The engine underneath is Argos Translate, which runs OpenNMT neural models with SentencePiece tokenization and Stanza sentence-boundary detection, all offline. Models install as portable .argosmodel packages covering dozens of languages - English, Spanish, French, German, Chinese, Japanese, Russian, Arabic, Hindi, Portuguese, and many more - and Argos handles automatic pivoting: with es-to-en and en-to-fr installed, it chains them to translate es-to-fr without a direct model. The API is a straightforward HTTP POST to /translate with source and target language codes, returning JSON - simple enough that the ecosystem has clients in every major language and integrations across tools like Weblate and Mastodon. Beyond plain text it translates HTML while preserving markup and handles whole file uploads (documents in, translated documents out), plus automatic language detection when the source is unknown. A clean bundled web UI serves interactive translation for end users, and optional API keys with rate limits control access. AGPL-licensed and trainable with custom models, it is the standard answer when translation must be private, unmetered, and self-contained - GDPR-sensitive text never touches a third party.

Deploy
Matomo screenshot thumbnail

Matomo

Several EU data protection authorities have ruled Google Analytics deployments unlawful; Matomo (formerly Piwik) is the most complete open-source replacement - a full analytics platform with 30+ report types across visitors, actions, referrers, goals, and ecommerce. The self-hosted PHP/MySQL edition is free and keeps every byte of visitor data on your infrastructure, which matters more each year: several EU data protection authorities have ruled Google Analytics deployments unlawful, while Matomo configured for cookieless tracking is approved by France's CNIL for use without a consent banner. All reporting runs on 100% unsampled data - no extrapolation at high traffic volumes. The GDPR Manager handles data subject requests and deletion, with IP anonymization, retention controls, and Do Not Track support built in. A dedicated importer pulls your historical Google Analytics data so years of trends survive the migration. Core analytics cover campaigns, custom variables and dimensions, entry/exit pages, downloads, site search, and full ecommerce tracking with a comprehensive HTTP API for reporting and ingestion. Premium plugins extend the platform into Hotjar-class behavioral tooling - click and scroll heatmaps, session recordings, conversion funnels, form analytics, A/B testing - plus a tag manager and SAML SSO. For teams that need GA-equivalent depth with actual data ownership, Matomo is the realistic drop-in replacement.

Deploy